{"title":"使用静态-动态混合分析审计缓冲区溢出漏洞","authors":"Bindu Padmanabhuni, Hee Beng Kuan Tan","doi":"10.1109/COMPSAC.2014.62","DOIUrl":null,"url":null,"abstract":"Despite being studied for more than two decades buffer overflow vulnerabilities are still frequently reported in programs. In this paper, we propose a hybrid approach that combines static and dynamic program analysis to audit buffer overflows. Using simple rules, test data are generated to automatically confirm some of the vulnerabilities through dynamic analysis and the remaining cases are predicted by mining static code attributes. Confirmed cases can be directly fixed without further verification whereas predicted cases need to be manually reviewed to confirm existence of vulnerabilities. Since our approach combines the strengths of static and dynamic analyses, it results in an overall accuracy improvement. In our evaluation of approach using the standard benchmark suite, our classifiers achieved a recall over 92% and precision greater than 81%. The dynamic analysis component confirmed 51% of known vulnerabilities along with reporting 2 new bugs, thereby reducing by half, otherwise needed manual auditing effort.","PeriodicalId":106871,"journal":{"name":"2014 IEEE 38th Annual Computer Software and Applications Conference","volume":"36 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-07-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":"{\"title\":\"Auditing Buffer Overflow Vulnerabilities Using Hybrid Static-Dynamic Analysis\",\"authors\":\"Bindu Padmanabhuni, Hee Beng Kuan Tan\",\"doi\":\"10.1109/COMPSAC.2014.62\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Despite being studied for more than two decades buffer overflow vulnerabilities are still frequently reported in programs. In this paper, we propose a hybrid approach that combines static and dynamic program analysis to audit buffer overflows. Using simple rules, test data are generated to automatically confirm some of the vulnerabilities through dynamic analysis and the remaining cases are predicted by mining static code attributes. Confirmed cases can be directly fixed without further verification whereas predicted cases need to be manually reviewed to confirm existence of vulnerabilities. Since our approach combines the strengths of static and dynamic analyses, it results in an overall accuracy improvement. In our evaluation of approach using the standard benchmark suite, our classifiers achieved a recall over 92% and precision greater than 81%. The dynamic analysis component confirmed 51% of known vulnerabilities along with reporting 2 new bugs, thereby reducing by half, otherwise needed manual auditing effort.\",\"PeriodicalId\":106871,\"journal\":{\"name\":\"2014 IEEE 38th Annual Computer Software and Applications Conference\",\"volume\":\"36 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-07-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"13\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2014 IEEE 38th Annual Computer Software and Applications Conference\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/COMPSAC.2014.62\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE 38th Annual Computer Software and Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COMPSAC.2014.62","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Auditing Buffer Overflow Vulnerabilities Using Hybrid Static-Dynamic Analysis
Despite being studied for more than two decades buffer overflow vulnerabilities are still frequently reported in programs. In this paper, we propose a hybrid approach that combines static and dynamic program analysis to audit buffer overflows. Using simple rules, test data are generated to automatically confirm some of the vulnerabilities through dynamic analysis and the remaining cases are predicted by mining static code attributes. Confirmed cases can be directly fixed without further verification whereas predicted cases need to be manually reviewed to confirm existence of vulnerabilities. Since our approach combines the strengths of static and dynamic analyses, it results in an overall accuracy improvement. In our evaluation of approach using the standard benchmark suite, our classifiers achieved a recall over 92% and precision greater than 81%. The dynamic analysis component confirmed 51% of known vulnerabilities along with reporting 2 new bugs, thereby reducing by half, otherwise needed manual auditing effort.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
